Malware Issues[INACTIVE]



Greetings. I am in a bad spot as my laptop has been taken over. I could not tell you what website or email caused my issues, but they are severe. My "home" page changes on its own to an antivirus solicitation (adwareremover2007 or apantiviruspro) and the system is constantly prompting to scan for virus activity. My HijackThis log is below. Thank you greatly in advance for whatever help you can provide.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:54:28 PM, on 12/26/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Common Files\AOL\1139417063\ee\aolsoftware.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\HPQ\SHARED\HPQWMI.exe

c:\program files\common files\aol\1139417063\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe

c:\program files\common files\aol\1139417063\ee\aolsoftware.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Trend Micro\Internet Security\UfNavi.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4AAC4708-FE47-4B80-92EF-47406444DDD2} - (no file)

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O2 - BHO: (no name) - {6FFE49B7-F475-4EAB-8E80-E5D74C4E8D5F} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: BDEX System - {C2DE4340-CB68-450F-90CD-9BE1A26739D7} - C:\WINDOWS\domnftwmnf.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: The emlkdvo - {47906C8A-7A72-45A8-AA59-0CEC20BD3B36} - C:\WINDOWS\emlkdvo.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{9B089F64-D02A-4C6F-A0BC-B79D9EA3D9E8}: NameServer = 85.255.115.155,85.255.112.128

O17 - HKLM\System\CCS\Services\Tcpip\..\{9FE299B7-D42F-44D5-9EFF-19CBB1D76B88}: NameServer = 85.255.115.155,85.255.112.128

O17 - HKLM\System\CCS\Services\Tcpip\..\{DF176388-2A0B-4F27-AFD7-9A9594E821B7}: NameServer = 85.255.115.155,85.255.112.128

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.155 85.255.112.128

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.155 85.255.112.128

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.155 85.255.112.128

O21 - SSODL: bvtqfvx - {5C2E186F-3425-4913-8E62-B5100228571E} - C:\WINDOWS\bvtqfvx.dll

O21 - SSODL: alxvdvm - {9141B5B7-20FB-4498-832A-84F7E47A1BFC} - C:\WINDOWS\alxvdvm.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 9171 bytes

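As an added example that is not part of the original post or of HijackThis itself, the script below applies to a HijackThis v2 log the three checks a helper would make by eye on the log above: O17 NameServer values that point at public addresses (and the same pair repeated on every interface and in the global Tcpip\Parameters key), O2/O3/O9 entries whose module file is missing, and O2/O3/O21 components loaded straight from C:\WINDOWS\ rather than from system32 or Program Files. The sample log embedded in it is constructed for the example, and the public/private address test uses Python's ipaddress module; whether a public resolver is the ISP's legitimate one is something the script cannot decide, so it reports such entries for verification rather than declaring them malicious.

```python
"""Triage of a HijackThis v2 log for the indicators that drove the cleanup
in this thread: resolvers forced into the O17 (Tcpip NameServer) keys,
orphaned O2/O3 entries, and O2/O3/O21 modules dropped straight into the
Windows root directory.  Added example; not code from the original post."""
import ipaddress
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section severity reason line")

# Constructed sample in HijackThis v2 format, modelled on the log posted
# above.  The GUIDs and paths are illustrative, not the original log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {4AAC4708-FE47-4B80-92EF-47406444DDD2} - (no file)
O2 - BHO: BDEX System - {C2DE4340-CB68-450F-90CD-9BE1A26739D7} - C:\WINDOWS\domnftwmnf.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: The emlkdvo - {47906C8A-7A72-45A8-AA59-0CEC20BD3B36} - C:\WINDOWS\emlkdvo.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B089F64-D02A-4C6F-A0BC-B79D9EA3D9E8}: NameServer = 85.255.115.155,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.155 85.255.112.128
O21 - SSODL: bvtqfvx - {5C2E186F-3425-4913-8E62-B5100228571E} - C:\WINDOWS\bvtqfvx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.+)$")
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.I)
# Legitimate BHO/toolbar/SSODL components live under system32 or Program
# Files; a DLL directly in C:\WINDOWS\ is the pattern seen in the log above.
WINROOT_MODULE_RE = re.compile(r"[a-z]:\\windows\\[^\\]+\.(?:dll|exe)\s*$", re.I)
START_PAGE_RE = re.compile(r"Start Page\s*=\s*(?:https?://)?([^/\s]+)", re.I)


def is_public_ip(text):
    """True for a globally routable unicast address; False for private,
    loopback, link-local, multicast, unspecified or unparsable input."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified)


def parse_entries(log_text):
    """Yield (section, body, raw_line) for each HijackThis entry line."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), raw.strip()


def triage(log_text):
    """Return a list of Findings; an empty list means nothing was flagged."""
    findings = []
    resolver_sets = []  # one frozenset of public resolvers per O17 line
    for section, body, raw in parse_entries(log_text):
        if section == "O17":
            ns = NAMESERVER_RE.search(body)
            if not ns:
                continue
            ips = [t for t in re.split(r"[,\s]+", ns.group(1)) if t]
            public = frozenset(ip for ip in ips if is_public_ip(ip))
            resolver_sets.append(public)
            if public:
                findings.append(Finding(section, "high",
                    "resolvers %s written to the registry; confirm they belong "
                    "to the ISP" % ",".join(sorted(public)), raw))
        elif section in ("O2", "O3", "O9", "O21"):
            if ORPHAN_RE.search(body):
                findings.append(Finding(section, "low",
                    "orphaned entry: module file is missing", raw))
            elif WINROOT_MODULE_RE.search(body):
                findings.append(Finding(section, "high",
                    "module loaded from the Windows root directory", raw))
        elif section == "R0":
            sp = START_PAGE_RE.search(body)
            if sp:
                findings.append(Finding(section, "info",
                    "start page host is %s; confirm the user chose it"
                    % sp.group(1), raw))
    # The DNS-changer pattern: the same external pair on every interface and
    # on the global Tcpip\Parameters key, not just one interface's DHCP lease.
    if len(resolver_sets) > 1 and len(set(resolver_sets)) == 1 and resolver_sets[0]:
        findings.append(Finding("O17", "high",
            "the same external resolvers %s are forced on every O17 entry"
            % ",".join(sorted(resolver_sets[0])), ""))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %-4s %s\n    %s" % (f.severity, f.section, f.reason, f.line))
```

Run it on a saved hijackthis.log with `triage(open(path).read())`. The script deliberately leaves O4 and O23 alone: those sections need the vendor-by-vendor judgement the helper applied in this thread, not a pattern match, and a rule that flagged every unknown Run entry would bury the three findings that matter.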

Please download SmitfraudFix (by S!Ri) to your Desktop. (Some AVs will say that parts of it are malware; they are not.)

Now, you should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with the ComboFix log (below).

Download ComboFix to your desktop.

Double-click combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post

  • C:\rapport.txt
  • c:\Combofix.txt

in your next reply.

Warning: running option #2 on a non-infected computer will remove your Desktop background.


Thank you for the instruction. As directed:

SmitFraudFix v2.274

Scan done at 20:47:44.59, Thu 12/27/2007

Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\privacy_danger\ Deleted

C:\DOCUME~1\Owner\Desktop\Error Cleaner.url Deleted

C:\DOCUME~1\Owner\Desktop\Privacy Protector.url Deleted

C:\DOCUME~1\Owner\Desktop\Spyware?Malware Protection.url Deleted

C:\DOCUME~1\Owner\FAVORI~1\Error Cleaner.url Deleted

C:\DOCUME~1\Owner\FAVORI~1\Privacy Protector.url Deleted

C:\DOCUME~1\Owner\FAVORI~1\Spyware?Malware Protection.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9B089F64-D02A-4C6F-A0BC-B79D9EA3D9E8}: DhcpNameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9B089F64-D02A-4C6F-A0BC-B79D9EA3D9E8}: NameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9FE299B7-D42F-44D5-9EFF-19CBB1D76B88}: NameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DF176388-2A0B-4F27-AFD7-9A9594E821B7}: NameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F10AE339-AE5C-4793-9074-737A3C21CD99}: DhcpNameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CS1\Services\Tcpip\..\{9B089F64-D02A-4C6F-A0BC-B79D9EA3D9E8}: DhcpNameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CS1\Services\Tcpip\..\{9B089F64-D02A-4C6F-A0BC-B79D9EA3D9E8}: NameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CS1\Services\Tcpip\..\{9FE299B7-D42F-44D5-9EFF-19CBB1D76B88}: NameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CS1\Services\Tcpip\..\{DF176388-2A0B-4F27-AFD7-9A9594E821B7}: NameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CS1\Services\Tcpip\..\{F10AE339-AE5C-4793-9074-737A3C21CD99}: DhcpNameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CS2\Services\Tcpip\..\{9B089F64-D02A-4C6F-A0BC-B79D9EA3D9E8}: DhcpNameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CS2\Services\Tcpip\..\{9B089F64-D02A-4C6F-A0BC-B79D9EA3D9E8}: NameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CS2\Services\Tcpip\..\{9FE299B7-D42F-44D5-9EFF-19CBB1D76B88}: NameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CS2\Services\Tcpip\..\{DF176388-2A0B-4F27-AFD7-9A9594E821B7}: NameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CS2\Services\Tcpip\..\{F10AE339-AE5C-4793-9074-737A3C21CD99}: DhcpNameServer=85.255.115.155,85.255.112.128

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.115.155 85.255.112.128

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.115.155 85.255.112.128

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.115.155 85.255.112.128

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"="kdgzt.exe"

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\kdgzt.exe Deleted

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» End

And

ComboFix 07-12-28.1 - Owner 2007-12-27 21:01:50.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.65 [GMT -6:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Program Files\FunWebProducts

C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html

C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html

C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html

C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html

C:\Program Files\internet explorer\msimg32.dll

C:\Program Files\MediaVideoCodec

C:\Program Files\MediaVideoCodec\install.ico

C:\Program Files\MediaVideoCodec\MediaVideoCodec.ocx

C:\Program Files\MediaVideoCodec\Uninstall.exe

C:\Program Files\MyWebSearch

C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG

C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL

C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV

C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT

C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR

C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST

C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR

C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST

C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE

C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S

C:\Program Files\MyWebSearch\bar\Cache\000543C7

C:\Program Files\MyWebSearch\bar\Cache\002689D8

C:\Program Files\MyWebSearch\bar\Cache\01DBD059

C:\Program Files\MyWebSearch\bar\Cache\0446A138.bin

C:\Program Files\MyWebSearch\bar\Cache\0446A251.bin

C:\Program Files\MyWebSearch\bar\Cache\0446A31C.bin

C:\Program Files\MyWebSearch\bar\Cache\0446A3F7.bin

C:\Program Files\MyWebSearch\bar\Cache\0AEB93B9

C:\Program Files\MyWebSearch\bar\Cache\20C471A6.bin

C:\Program Files\MyWebSearch\bar\Cache\20C47EE5.bin

C:\Program Files\MyWebSearch\bar\Cache\20C4806B.bin

C:\Program Files\MyWebSearch\bar\Cache\20C48146.bin

C:\Program Files\MyWebSearch\bar\Cache\20C48202

C:\Program Files\MyWebSearch\bar\Cache\297F776C

C:\Program Files\MyWebSearch\bar\Cache\37811BAD

C:\Program Files\MyWebSearch\bar\Cache\files.ini

C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S

C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S

C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S

C:\Program Files\MyWebSearch\bar\History\search2

C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S

C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S

C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S

C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S

C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S

C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S

C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S

C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S

C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S

C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S

C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S

C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S

C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm

C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat

C:\Program Files\MyWebSearch\bar\Settings\setting2.htm

C:\Program Files\MyWebSearch\bar\Settings\settings.dat

C:\WINDOWS\alxvdvm.dll

C:\WINDOWS\bvtqfvx.dll

C:\WINDOWS\dat.txt

C:\WINDOWS\domnftwmnf.dll

C:\WINDOWS\emlkdvo.dll

C:\WINDOWS\fvkwdrt.exe

C:\WINDOWS\rs.txt

C:\WINDOWS\search_res.txt

.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))

.

2007-12-27 20:48 . 2007-12-27 20:48 3,112 --a------ C:\WINDOWS\system32\tmp.reg

2007-12-27 20:47 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2007-12-27 20:47 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-12-27 20:47 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe

2007-12-27 20:47 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-12-27 20:47 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-12-27 20:47 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2007-12-26 19:18 . 2007-09-17 10:09 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys

2007-12-26 19:18 . 2007-09-17 10:09 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys

2007-12-26 19:17 . 2007-12-26 19:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro

2007-12-23 16:56 . 2007-12-23 16:56 <DIR> d-------- C:\WINDOWS\system32\NtmsData

2007-12-23 12:51 . 2007-09-17 10:09 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2007-12-23 12:49 . 2007-12-25 21:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6

2007-12-23 11:58 . 2007-12-25 22:43 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6

2007-12-23 09:57 . 2007-12-26 21:04 <DIR> d-------- C:\Program Files\AdwareRemover2007

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-27 03:19 --------- d-----w C:\Program Files\Trend Micro

2007-12-23 23:35 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-11-24 21:36 --------- d-----w C:\Program Files\Disney

2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-10-30 10:16 3,058,688 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll

2007-10-29 03:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks

2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll

2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll

2007-10-11 06:13 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll

2007-10-11 06:13 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll

2007-10-11 06:13 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll

2007-10-11 06:13 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll

2007-10-11 06:13 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll

2007-10-11 06:13 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll

2007-10-11 06:13 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll

2007-10-11 06:13 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll

2007-10-11 06:13 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll

2007-10-11 06:13 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll

2007-10-11 06:13 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll

2007-10-11 06:13 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll

2007-10-11 06:13 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll

2007-10-11 06:13 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll

2007-10-11 06:13 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll

2007-10-11 06:13 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll

2007-10-11 06:13 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll

2007-10-10 11:16 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 20:07]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-11 12:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 11:00]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 04:36]

"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 16:11]

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 06:12]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 06:11]

"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 17:04]

"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 14:24]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 14:54]

"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 06:50]

"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-11-25 20:24]

"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 16:42]

"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-17 10:05]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 23:11:40]

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 09:18]

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-27 21:09:44

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-12-27 21:10:18

.

2007-12-22 15:26:07 --- E O F ---


Using Internet Explorer, please do an online scan with Kaspersky Online Scanner.

Click on Kaspersky Online Scanner

Click "I accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under "select a target to scan" select My Computer.
  • The scan will take a while, so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt.
  • Expand the arrow beside "file types" and save as a .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

*Note: if you have Internet Explorer 7 installed:

If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.

Page will reload and you should be able to carry on scan.

If the KAV log has your email all over it -- please attach it rather than copy/paste.
